Page 417
Page 418
Assuming you're not the curious type and haven't flipped your way back here, you are probably here looking for some information on the program known as Pretty Good Privacy, or PGP.
PGP, or Pretty Good Privacy, is a program that is intended to help make electronic mail more secure. It does this by using a sophisticated technique known as public key encryption.
If you find yourself wondering what electronic mail and making information unreadable by spies have to do with RPM, you have a good point. However, although PGP's claim to fame is the handling of e-mail in total privacy, it has some other tricks up its sleeve.
As mentioned earlier, PGP uses public key encryption to do some of its magic. You might guess from the name that this type of encryption involves keys of some sort. But, as you might imagine, these are not keys that you can copy at the local hardware store. They are numbers—really large numbers. Here's what a key might look like (when we say that keys are numbers, we aren't lying even though the sample key doesn't look like a number; it has been processed so that it can be concisely displayed using only printable characters):
----BEGIN PGP PUBLIC KEY BLOCK---- Version: 2.6.2 mQCNAzEpXjUAAAEEAKG4/V9oUSiDc9wIge6Bmg6erDGCLzmFyioAho8kDIJSrcmi F9qTdPq+fj726pgW1iSb0Y7syZn9Y2lgQm5HkPODfNi8eWyTFSxbr8ygosLRClTP xqHVhtInGrfZNLoSpv1LdWOme0yOpOQJnghdOMzKXpgf5g84vaUg6PHLopv5AAUR tCpSZWQgSGF0IFNvZnR3YXJlLCBJbmMuIDxyZWRoYXRAcmVkaGF0LmNvbT6JAFUD BRAxc0xcKO2uixUx6ZEBAQOfAfsGwmueeH3WcjngsAoZyremvyV3Q8C1YmY1EZC9 SWkQxdRKe7n2PY/WiA82Mvc+op1XGTkmqByvxM9Ax/dXh+peiQCVAwUQMXL7xiIS axFDcvLNAQH5PAP/TdAOyVcuDkXfOPjN/TIjqKRPRt7k6Fm/ameRvzSqB0fMVHEE 5iZKi55Ep1AkBJ3wX257hvduZ/9juKSJjQNuW/FxcHazPU+7yLZmf27xIq7E0ihW 8zz9JNFWSA9+8vlCMBYwdP1a+DzVdwjbJcnOu3/Z/aCY2lYi9U45PzmtU8iJAJUD BRAxU9GUGXO+IyM0cSUBAbWfA/9+lVfqcpFYkJIV4HuV5niVv7LW4ywxW/SftqCM lXDXdJdoDbrvLtVYIGWeGwJ6bES6CoQiQjiW7/WaC3BY9ZITQE4hWOPQADzOnZPQ fdkIIxuIUAUnU/YarasqvxCs5v/TygfWUTPLPSP+MqGqJcDF2UHXCiNAHrItse9M h7etkYkAdQMFEDEp61/Nq6IpInoskQEB538C+wSIaCNNDOGxlxS5E2tClXRwMYf0 ymuKXs/srvIUjOO7xuIH4K7qcSSdI4eUwuXy6w5tWWR3xZ/XiygcLtKMi2IZIq0j wmFq7MEk+Xp8MN7Icawkqj1/1p0p4EwKKkIU64kAlQMFEDEp6pZEcVNogr/H7QEB jp4D/iblfiCzVTA5QhGeWOj1rRxWzohMvnngn29IJgdnN3zuQXB1/lbVV3zYciRH NyvpynfcTcgORHNpAIxXDaZ7sd48/v7hHLarcR5kxuY0T75XOTGOKTOlFvb4XmcY HZR2wSWSBteKezB5uK47A6uhwtvPokV0Owk9xPmBV+LPXkW4 =pnqV ----END PGP PUBLIC KEY BLOCK----
PGP uses two different types of keys: public and private. The public key, as its name suggests, can be shared with anyone. The key shown above is, in fact, a public key. The private key, as its name suggests, should be kept a secret. PGP creates keys in pairs—one private and one public. A key pair must remain a pair; if one is lost, the other by itself is useless. Why? Because the two keys have an interesting property that can be exploited in two ways:
Page 419
In the case of sending messages in total privacy, the key pairs are used in the first manner. It allows two people to exchange private messages without first exchanging any "secret codes." The only requirement is that each know the other's public key.
However, for RPM, the second method is the important one. Let's say a company needs to send you a document and you'd like to make sure it really did come from them. If the company first encrypted the file with its private key and sent it to you, you would have an encrypted file you couldn't read.
Or could you? If you have the company's public key, you should be able to decrypt it. In fact, if you can't, you can be sure that the message you received did not come from them! (Or at least that it didn't make it to you unchanged.)
It is this feature that is used by RPM. By using PGP's public key encryption, it is possible to not only prove that a package file came from a certain person or persons, but also that it was not changed somewhere along the line.
In a word, no. Rather than being encrypted, RPM package files possess digital signatures. This is a way of using encryption to attach a signature (again, basically a large number) to some information, such that
In the case of RPM, the information being signed is the contents of the .rpm file itself.
A digital signature is just like a regular signature. It doesn't obscure the contents of the document being signed; it just provides a method of determining the authenticity of a document. Here is an example of a digital signature turned into printable text:
----BEGIN PGP SIGNATURE---- Version: 2.6.3a Charset: noconv iQCVAwUBMXVGMFIa2NdXHZJZAQFe4AQAz0FZrHdH8o+zkIvcI/4ABg4gfE7cG0xE Z2J9GVWD2zi4tG+s1+IWEY6Ae17kx925JKrzF4Ti2upAwTN2Pnb/x0G8WJQVKQzP mZcD+XNnAaYCqFz8iIuAFVLchYeWj1Pqxxq0weGCtjQIrpzrmGxV7xXzK0jus+6V rML3TxQSwdA= =T9Mc ----END PGP SIGNATURE----
Page 420
Again, no. In a perfect world, every .rpm file would be signed. However, RPM has no formal requirement that this be the case. There is also no requirement that you do anything special with a signed .rpm file. Think of it as an extra feature that you can take advantage of, or not—it's strictly your choice.
PGP has a wealth of features, 99% of which we will not cover in this book. For more information on the basics of encryption, see Applied Cryptography, by Bruce Schneier, which contains a wealth of information on the subject. For more details on PGP specifically, O'Reilly's PGP: Pretty Good Privacy by Simson Garfinkel is an excellent reference.
If you'd rather surf the Net, use your favorite World Wide Web index to hunt for crypto or PGP, and you'll be in business.
To use RPM's PGP-related capabilities, you'll need to have PGP installed on your system. If it's installed already, you should be able to flip to the chapters on verifying package signatures and signing packages and be in business in a matter of minutes. Otherwise, read on for a thumbnail sketch of what's required to install PGP.
The first step in being able to verify .rpm files is to get a copy of PGP. Unfortunately, this is not quite as simple as it might sound. The reason is that PGP is very controversial stuff.
Why the controversy? It centers on PGP's primary mission: to provide a means of communicating with others in complete privacy. As we've discussed, PGP uses encryption to provide this privacy. Good encryption. Very good encryption. Encryption so good, it appears that some of the world's governments consider PGP a threat to their national security.
Various countries have differing stands on the use of "strong encryption" products such as PGP. In some countries, possession of encryption software is strictly forbidden. Other countries attempt to control the flow of encryption technology into (or out of) their countries. It is vital that you know your country's laws, lest you find yourself in prison, or possibly in front of a firing squad!
Page 421
Over and above PGP's legal status, there are other aspects to PGP that people living in the U.S. and Canada should keep in mind:
Pretty Good Privacy, Inc.
2121 S. El Camino Real
Suite 902
San Mateo, CA 94403
Phone: 415-572-0430
Fax: 415-572-1932
http://www.pgp.com/
While people outside the United States and Canada can use RSAREF-based PGP, they will probably choose the so-called international version. This version replaces RSAREF with software known as MPILIB. MPILIB is, in general, faster than RSAREF, but it cannot legally be used in the United States or Canada.
To summarize, if you are using PGP for commercial purposes in the United States or Canada, you'll need to purchase it. Otherwise, people living in the United States or Canada should use a version of PGP incorporating RSAREF. People in other countries can use any version of PGP they desire, although they'll probably choose the MPILIB-based international version. (Note that there are no commercial restrictions regarding PGP in countries other than the United States and Canada.)
The official source for the latest version of PGP based on RSAREF is the Massachusetts Institute of Technology. Due to the restrictions on the export of encryption technology, the process is somewhat convoluted. The easiest way to obtain PGP from the official MIT archive is to use the World Wide Web. Point your Web browser to
http://web.mit.edu/network/pgp.html
Simply follow the steps, and you'll have the necessary software on your system in no time.
Page 422
There is a more cumbersome method that doesn't use the Web. It involves first using anonymous FTP to obtain several files of instructions and license agreements. You will then be directed to use telnet to obtain the name of a temporary FTP directory containing the PGP software. Finally, you can use anonymous FTP to retrieve the software. To start this process, FTP to
net-dist.mit.edu
and then change the directory to
/pub/PGP
Obtain a copy of the file README and follow the instructions in it exactly.
If all this seems like too much trouble, there is another alternative. You can find copies of PGP on just about any BBS, FTP, or Web site advertising freely available software. Be aware, however, that Floyd's Storm Door and BBS Company may not be as trustworthy a place as MIT to obtain encryption software. It's really a question of how paranoid you are.
For people living in other countries, it is much easier to find PGP (depending on the legality of encryption software, of course). Try any of the places you'd normally look for free software. Keep in mind, however, that you shouldn't download PGP from any sites in the U.S. Doing so is considered an "export" of munitions, and can get the people responsible for the site in deep trouble. Wherever you eventually get PGP, since the patents that complicate matters for the United States do not apply abroad, you'll probably end up with the international version of PGP.
Building PGP is mostly a matter of following instructions. However, users of ELF-based Linux distributions (such as Red Hat Linux) will find that PGP will not build. The problem, according to the PGP FAQ, is that two files do not properly handle the C preprocessor directives that affect support for ELF. The changes are to two files: 80386.S and zmatch.S. Near the beginning of each, you'll find either an #ifndef or an #ifdef for SYSV. If you find
#ifndef SYSV
it should be changed to read
#if !defined(SYSV) && !defined(__ELF__)
If you find
#ifdef SYSV
it should be changed to read
#if defined(SYSV) || defined(____ELF____)
Page 423
After you make these changes, PGP should build with no problems.
After building and installing PGP, you're ready to start using RPM's package-signature capabilities. If your primary interest is in checking the signatures on packages built by someone else, see Chapter 7, "Using RPM to Verify Package Files," which will tell you everything you need to know.
On the other hand, if you are a package builder and would like to start signing packages, see Chapter 17, "Adding PGP Signatures to a Package," and it will have you signing packages in no time.
Page 424